At a recent technical forum in Vancouver, British Columbia, security experts gathered to talk shop. The event usually draws headlines. This March, it was Dragos Ruiu who captured the media attention when he said that Canada was ill-prepared for a cyberattack that could devastate its infrastructure. A 17-year-old could launch such an attack, he said, adding that the Canadian government needs to put more thought into its cybersecurity strategy.
“There's been a cybersecurity strategy promised now for years, without it having come to fruition,” agrees Rafal Rohozinski, CEO of SecDev, an Ottawa-based company focused on security research. Rohozinski's organization partners with the Citizen Lab at the Munk Centre for International Studies at the University of Toronto, and produced “Tracking GhostNet” and “Shadows in the Cloud,” two investigations into cyberespionage rings appearing to originate in Asia.
His frustration seems warranted. There has been no cohesive strategy to date, although there have been plenty of half-hearted efforts. In 2004, the Canadian government earmarked around $700 million for a concerted national security effort, but only $5 million went into a workforce to address cybersecurity issues.
Back then, admitted David Black, manager in 2008 of the cyber infrastructure protection section of the Royal Canadian Mounted Police (RCMP), the RCMP's cybersecurity strategy was “all over the place.” Then, it merged its operations together to form a cohesive unit. Speaking at a technical security conference in 2008, Black promised a Canadian cybersecurity strategy that would evolve over the next few months. But even major players like Microsoft, which Black said was working with the RCMP, were left unimpressed.
John Weigelt, national technology officer for Microsoft Canada, recalls that in 2005, the Canadian government launched the Canadian Cybersecurity Incident Response Centre (CCIRC). However, on the surface, it seems to be little more than a collection of bureaucrats with an RSS feed tracking major product vulnerabilities, along with a website. Compare this with the U.S. government, which has conducted a broad review of cybersecurity and subsequently released a cohesive strategy backed by its president. In fact, President Obama appointed longtime cybersecurity expert Howard Schmidt to a federal post to ensure the nation's cyber readiness. At the very least, say industry observers, this shows commitment from the top.
“The most important part of the way to get started bolstering a cybersecurity strategy is to establish some sort of vision and direction for Canada,” says Weigelt. He points to a recent consultation on Canada's digital economy by Industry Canada – a government department responsible for regional economic progress and research and development – as an example of how the government is striving to establish a broader vision for the country's digital presence. But looking through the submissions made in that document, there seems to be little focus on cybersecurity.
No more excuses
What is holding things up? A focus on remediating the economic downturn is one issue, suggests Weigelt. But then, President Obama commissioned a cybersecurity review and launched a national strategy for cybersecurity during the first few months of his presidency, while grappling with the financial downturn during its gravest period. Perhaps the minority government in Canada could be to blame. But the U.S. Congress has been one of the most divided in history as it wrestles with controversial issues, such as health care reform and climate change legislation. Citizens north of the border may have to resign themselves to the fact that their government is simply sluggish on cybersecurity.
The Canadian government doesn't view cybersecurity in the same way as do private sector organizations, such as telecommunications operators, Rohozinski says. He adds that those responsible for cybersecurity matters have been left shouldering an inordinate amount of the security burden because of the government's complacency.
Things may be about to change, but the question remains: Will the change be enough? Sources close to the matter suggest that Bob Gordon, head of the cybersecurity initiative at Public Safety Canada, has a document already prepared. Not much is publicly known of the plans, although some insiders suggest that the document will focus relatively narrowly on network security.
One reason that the strategy might be developing more slowly is that policymakers may realize that the document needs to be expanded into something broader, says SecDev's Rohozinski. To be truly effective, a cybersecurity strategy should be holistic in nature, spanning a variety of different public policy areas, he warns. Simply concentrating on securing public networks is not enough.
“We need to speak to the broader issue of how we address cybersecurity in terms of broader policy,” he says. “Defending cyberspace is a domain through which U.S. values and foreign policy will be exercised and the freedom of access in cyberspace will be defended.”
What should be done in the meantime? “Some people say that if we only had a vision, we could get started,” says Weigelt. “My response is that we can start doing stuff today.”
So, in the absence of a firm government strategy, who should step up? SecDev's Rohozinski says that when the Canadian government finally does come to crack down on cybersecurity, it should adopt a measured approach in which it maintains the advantages of computer networks while helping to eliminate the risks.
“There's a real danger that by yielding to fear-mongering – that every computer is a knife at the throats of our families – we forget the positive benefits and potentially roll back the quasi-freedoms that we've seen in the last 20 years,” he says.
In a country that has been criticized for its Draconian approaches to surveillance and security during the Olympics and the G8 talks, that may be the toughest challenge of all.